Towards a Proof-Irrelevant Calculus of Inductive Constructions


HAL Id: hal-01114573

https://hal.inria.fr/hal-01114573v2

Submitted on 4 Mar 2016


Towards a Proof-Irrelevant Calculus of Inductive

Constructions

Philipp Haselwarter

To cite this version:

Philipp Haselwarter. Towards a Proof-Irrelevant Calculus of Inductive Constructions. Programming Languages [cs.PL]. 2014. ⟨hal-01114573v2⟩


Towards a Proof-Irrelevant Calculus of Inductive

Constructions

Philipp Haselwarter

under the supervision of Matthieu Sozeau, PPS and πr²

2nd September 2014

Summary

The general context

Through the Curry-Howard correspondence, dependent type theories are appealing to both the mathematical and the programming community. To the first, they provide an expressive logical framework in which mathematics can be developed. To the second, they offer a functional programming language that allows one to state precise invariants programs have to respect and to build certified proofs thereof.

Several dependent type systems have been investigated and implemented, with some early ones geared more towards the mathematical community [Con+86; Pol94; Coq12], called proof-assistants, and later ones putting a stronger accent on their viability as a programming environment [McB99; Nor07; Soz08]. The Calculus of Inductive Constructions (pCIC) is one such theory that attempts to stay faithful to the correspondence and bridge the two worlds of programming and proving. It is implemented in the Coq system [Coq12] and in Matita [Asp+11].

The research problem

The utilisation of Coq as a programming language as advocated by Sozeau relies on extending pCIC with a principle known as proof-irrelevance, which means that any two proofs of a logical proposition are identified by the system. This principle does not hold in the current theory and implementation of Coq, yet proofs appear as parts of dependently typed programs, where they get in the way during verification. Furthermore, it corresponds to the mathematical intuition that the existence of a proof of a theorem is more important than its exact wording. In fact, under this aspect, there have been demands for proof-irrelevance in the community of interactive theorem provers since the beginning of their development, for instance in automath [Ned94, Sec. D.3]. We studied how to extend pCIC in order to incorporate this principle.

Although there was demand from the users of (intensional) dependent type theories, the first occasions on which proof-irrelevance was studied were through semantic models [Hof97; MW03]. A presentation of the syntax of a theory accommodating proof-irrelevance has been given by Pfenning [Pfe01] for a simply typed calculus, by Werner for a fragment of pCIC [Wer06], and recently, for a restricted form of irrelevance in Martin-Löf Type Theory, with an implementation in Agda [AS12].

Our approach has a more semantic inspiration, building on the insights from the treatment of propositions by Awodey and Bauer [AB04] and in homotopy type theory [Pro13].

My contribution

My solution relies on the distinction of the universe of propositions or specifications from that of computations. The former is represented in Coq as the sort Prop, the latter as Set. Currently, this distinction is mainly used for the extraction of programs, during which proofs get erased; the only difference inside the system is that only Prop allows for impredicative definitions.

We make a sharper separation between the two, which allows us to treat the proofs of a proposition as definitionally equal inside the system. To start with, we give a more modular presentation of pCIC, following that of [HS13]. We then refine this calculus by adding specific rules for the inhabitants of the propositional universe, in particular implementing definitional proof-irrelevance. Finally, we clarify the role of the two new type-formers that allow the interaction between the propositions and the computationally relevant terms. This allows us to have both a computationally relevant and an irrelevant, but still substitutive, equality type.

The resulting system is an extension of pCIC that brings it closer to an extensional type theory, while retaining the good properties of an intensional type theory. Notably, type checking remains decidable, and the extension of the system we give should be conservative.


Arguments supporting its validity

During our investigation we verified that we can indeed still express the same reasoning principles on our new propositions as in pCIC, in particular with regard to the “singleton elimination” property of some of Coq's propositions. Using the aforementioned irrelevant equality, we were able to encode the inductive families we considered in our examples in a way that is faithful to their traditional presentation as schemata. We have not attempted any proofs for the system yet, but hope that the modular presentation will facilitate them and allow for a formalisation.

The construction for irrelevance we present should be portable to other intensional dependent type theories. It could for instance be added as a universe to Martin-Löf Type Theory as an alternative notion of proof-irrelevance.

Summary and future work

The system as it is presented now seems like a stable enough basis to start investigating its meta-theory. In particular, we want to show that subject reduction holds and that we can give an algorithmic version of convertibility, proving normalisation. We hope to continue the work of Abel on normalisation-by-evaluation for dependent type theories with impredicativity [Abe13] to construct such an algorithm, which should then be implemented to bring proof-irrelevance to the end-user. The notion of strict equality and further links with propositional truncation as it is presented in homotopy type theory (HoTT) should be explored.

Acknowledgements

Matthieu Sozeau deserves my fullest gratitude. He set me on the track of this question, which I highly enjoyed working on, and was a source of great insight in the vast world of type theory.


1 Introduction and Related Work

1.0.0.1 Syntax Conventions There are two different notions of equality in type theory, the definitional and the propositional one. Definitional equality is introduced by a judgement just like type-hood and defines when two objects are indistinguishable inside the theory. The propositional one on the other hand is a primitive type constructor that represents the logical connective of equality. As such, it can be hypothesised and can model arbitrarily complex provable equations.

• 𝐼𝑑 𝐴 𝑥 𝑦 : the equality type; also written as 𝑥 =𝐴 𝑦

• 𝑥 ≡ 𝑦 ∶ 𝐴 : definitional equality, in our case always with respect to a type

• 𝑥 ∶≡ 𝑡 : 𝑥 can be unfolded transparently into its definition 𝑡

• 𝑡[𝑢/𝑥] : in 𝑡, 𝑢 is substituted for 𝑥

Definition 1. A type is said to be definitionally (respectively propositionally) (proof-) irrelevant if all of its inhabitants are definitionally (resp. propositionally) equal.

In the following, unless stated otherwise, we will use proof-irrelevance to mean definitional proof-irrelevance. Conversion and definitional equality are used interchangeably.

1.1 Motivation

1.1.1 Algebraic Presentation: De Bruijn Criterion

The idea that a proof-assistant, or any piece of software in which we want to have substantial confidence, should be built around a small core is known as the de Bruijn criterion [BW05], after the late N.G. de Bruijn, who pioneered it for the automath system [Ned94]. This ideal seems in closer reach for a closed theory than for an open theory, a style which has been advocated to accommodate user-definable inductive families [Dyb94]. Instead of the traditional monolithic presentation of the Calculus of Inductive Constructions, we thus follow Herbelin and Spiwack [HS13] and give a more modular, algebraic presentation of the Proof-Irrelevant Calculus of Constructions. Instead of relying on the experienced reader's intuition to extrapolate, we avoid the use of ellipses in our definitions. We feel that this facilitates understanding and hope that proof-assistants will share this reaction, that is to say this presentation should more easily lend itself to formalisation.


1.1.2 Proof-Irrelevance: Poincaré Principle

Poincaré is known for attacking logic and emphasising the role of intuition in mathematics: “obvious” computations should not warrant explanations. In our setting, this can be understood as the fact that they should hold as conversions [Bar97]. There are, however, issues with this perspective:

• Obvious is not well-defined. For example, some systems allow 𝑛 + 0 and 0 + 𝑛 to be convertible thanks to rewriting, but Coq's intensional theory cannot deal with this as a conversion. Indeed, it requires an induction to show this equality.

• A useful principle that seems reasonable to add is that of Uniqueness of Identity Proofs (UIP), which states that any two proofs of the same equality type are equal; this is suggested by the fact that the inductive definition of the equality type has a single constructor with no computational content. While UIP is not provable in intensional type theory, it can consistently be added as an axiom.

• The Poincaré principle is inherently in tension with the de Bruijn Criterion: Definitional equalities have to be verified by an algorithm which might be complex to implement and verify, thus potentially lowering the trust in the system.

With the proof-irrelevant calculus we strengthen the conversion by implementing definitional proof-irrelevance (which implies UIP for propositional equalities), thus extending the class of “obvious” identifications the system can handle automatically. Here we benefit from the algebraic presentation, as it confines the propositions, which have to be treated specially, to an orthogonal part of the formalism.

1.1.3 Benefits for programming and proving with dependent types

1.1.3.1 Subset types The addition of proof-irrelevance makes the system much more pleasant when working with dependently typed programs. In particular, the notion of subsets becomes closer to informal practice. Subsets are defined as pairs of a term and a proof of a proposition about it, hence two inhabitants of the same subset type become definitionally equal as soon as their underlying terms are convertible. In the original theory, such conversions would have to be witnessed by propositional equalities, which most of the time have to appeal to proof-irrelevance as an axiom. This is the main obstacle to a computationally well-behaved and sound interpretation of the Program extension of Sozeau [Soz07], which develops a language for strongly specified programs based on subset types.

1.1.3.2 Computational Behaviour As identified in [Wer06], which proposes a proof-irrelevant variant of CC based on annotations of binders, using a proof-erased version of programs can make conversion checking more efficient. While our proposal is not to erase proofs but to tag them and treat them as indistinguishable objects, we get the same benefits in terms of efficient conversion.

1.2 Related Work

1.2.1 Curry-Howard (-de Bruijn-Lambek-BHK-…) Correspondence

The “main slogans” of the Curry-Howard correspondence are “propositions-as-types”, “proofs-as-programs” and “formulas-as-types” [SU06]. This idea is manifested in pCIC which has a distinguished sort Prop for propositions, which morally is where logic should be done, as it gets erased by extraction and allows for impredicativity. In fact logic is usually concerned with the existence rather than the exact shape of proofs, and there is a consensus [Thi86; AB04] that there is a correspondence between propositions and types rather than an isomorphism. This will be reflected by our even sharper separation of Prop and Type.

1.2.2 Same same but different: Notions of Equality

While most constructions of type theory have evolved very little since their introduction, the treatment of equality is still an area of active research.

1.2.2.1 Definitional Equality There are two options for introducing definitional equality. It can be represented as an untyped, external relation on two terms 𝑢, 𝑣, denoted 𝑐𝑜𝑛𝑣 𝑢 𝑣, usually governed by a set of rewriting rules deciding when two terms are convertible. This is the way it was introduced in an early version of Martin-Löf Type Theory (MLTT) [Mar98] and in Pure Type Systems, including the Calculus of Constructions. Alternatively, it can be made into a judgement Γ ⊢ 𝑢 ≡ 𝑣 ∶ 𝐴, defined on a type by type basis, which expresses that two terms 𝑢, 𝑣 are equal with respect to the type 𝐴 they inhabit. The latter definition allows one to handle extensional rules such as 𝜂-/uniqueness-principles more easily, thanks to the available type information. This approach is used in later presentations of MLTT [Mar82]. For type-checking to remain decidable, this judgement needs to be decided by an algorithm, usually employing techniques of normalisation-by-evaluation.

1.2.2.2 Propositional Equality Type theories represent propositional equality as an inductive type introduced by the reflexivity constructor refl𝐴 𝑡 ∶ 𝐼𝑑 𝐴 𝑡 𝑡. In extensional theories, such as NuPrl [Con+86], there is a reflection rule that states that propositional equalities are included in the definitional equality: Γ ⊢ 𝑒 ∶ 𝐼𝑑 𝐴 𝑢 𝑣 implies Γ ⊢ 𝑢 ≡ 𝑣 ∶ 𝐴, giving up any hope for decidability of type checking.

In intensional type theories, this implication only holds in empty contexts: · ⊢ 𝑒 ∶ 𝐼𝑑 𝐴 𝑢 𝑣 ⟹ · ⊢ 𝑢 ≡ 𝑣 ∶ 𝐴. This follows from the canonicity property of type theory, which ensures that 𝑒 must be an application of refl.

1.2.2.3 Streicher’s Axiom K One might expect that a similar property would still hold under contexts, that is for any proof of equality Γ ⊢ 𝑒 ∶ 𝐼𝑑 𝐴 𝑥 𝑥, there is a proof 𝑝 such that Γ ⊢ 𝑝 ∶ 𝐼𝑑 (𝐼𝑑 𝐴 𝑥 𝑥) 𝑒 (refl𝐴𝑥). This is known as Streicher’s axiom K and is equivalent to the Uniqueness of Identity Proofs principle (UIP). But Streicher and Hofmann showed [HS96] that there are models of type theory that do not validate UIP. On the other hand, there are variants of type theory which do model this principle, notably Observational Type Theory (OTT) [AMS07]. OTT was developed as a core type theory for a dependently typed programming language (Epigram), in which UIP is crucial to interpret dependent pattern matching.

While including K into the theory might seem like a reasonable choice for a dependently-typed programming language such as Epigram or Idris, we prefer for a proof assistant to keep the underlying logical system independent of this axiom, especially knowing that it is inconsistent with the homotopy interpretation of type theory [Pro13]. In fact, there has been some effort in the Agda community to modify their dependent pattern matching construct, which made K provable [CDP14], to regain compatibility with this interpretation. In Coq, high-level pattern matching is reduced down to eliminators, encoded as primitive case-constructs, which do not allow proving K.

However, we would like to allow K on a specific equality type, which will live in the Prop sort. This way we can hope to get the benefits of pattern-matching in the style of OTT while retaining general compatibility with HoTT. In effect, we will derive this equality with the UIP principle from our general proof-irrelevance construction.


1.2.3 Proof-Irrelevance

1.2.3.1 Historical account The idea that equality of proofs of propositional statements should be trivial goes back as early as 1975 in Automath [Ned94, Sec. A.4], where Zucker's goal of formalising classical mathematics motivates the type/prop-distinction, breaking the full propositions/types symmetry of [Mar75]. The idea of proof-irrelevance is attributed to de Bruijn. He identifies that proof-irrelevance is incompatible with informative Σ-eliminations, which hence have to be restricted. Indeed, in [Ned94, Sec. B.3] de Bruijn postulates definitional proof-irrelevance for propositions of definitionally equal types, using the logarithm as running example. In Sec. D.3, van Benthem Jutting discusses in subsection 4.0.3 the possibility to add proof-irrelevance either as an axiom or to include it in the definitional equality, and concludes that only the latter would be sufficiently convenient to support his development.

In extensional theories, this principle is easily added, either by introducing a type constructor for squash-types as in NuPrl, or through subset-types as in PVS. For intensional theories, however, integrating proof-irrelevance is delicate.

1.2.3.2 From Semantics to Syntax The first studies of proof-irrelevance in the intensional setting were semantic models where proofs are interpreted as truth-values. Hofmann constructs a categorical model of CC in [Hof97] where proof-irrelevance is valid, with the goal of defining subset types for specified programs as we have presented them earlier.

1.2.3.3 Observational Type Theory In [Alt99], Altenkirch proposes a setoid model, assuming proof irrelevance and 𝜂 for Σ and Π types, where function extensionality holds while conserving canonicity of normal forms, decidability of type checking and allowing for large eliminations. This later gave rise to the development of Observational Type Theory, in which proof-irrelevance as well as functional extensionality are valid. This type theory departs significantly from traditional foundations by defining not only the definitional equality but also the equality type by recursion over the type-formers. This type equality proceeds by structural analysis of types, which goes drastically against and is incompatible with the idea of univalence, which says that type equality coincides with a much larger type equivalence relation.


1.2.3.4 Modal type theory Pfenning has considered proof-irrelevance as a modality [Pfe01] instead of prop/type-sorting, which is similar to our approach in that the theory is “non-extensional”. On the other hand, it is very different syntactically, as Pfenning has two kinds of application and all binders appear in three versions, whereas we will reflect irrelevance on the level of types.

1.2.3.5 Bracket Types Building upon this work, Awodey and Bauer use a “bracket type” constructor [𝐴] which represents inhabitation of a type 𝐴 while hiding its computational content. This gives a type-based criterion for propositionality. As their main concern is the study of the semantic properties of these bracket types, they work in an extensional type theory. In particular they give an undecidable elimination rule for bracket types.

1.2.3.6 Calculus of Constructions A set-theoretic model focusing on the pitfalls of impredicativity is presented in [MW03]. Like Pfenning’s, this presentation also makes use of sort-, i.e. relevance-tagged binders. This line of work continues with the promised syntactic type theory in [Wer06], where conversion is defined using erasure of propositional content. The equality type is defined in Prop and the reduction of its eliminator is modified to rely on the convertibility of the extracted indices instead of matching on the refl constructor. Werner proves the Church-Rosser property and “very strongly conjectures” strong normalisation. An experimental implementation of this theory was developed for Coq by Sozeau. In [LW11], Lee and Werner build a set-theoretical model of a proof-irrelevant Calculus of Constructions, where the conversion is switched to a typed definitional equality. They do however not prove the equivalence with the untyped system and encounter problems related to the implicit inclusion of Prop into Type. The inclusion is rendered explicit in [HS13], which we will follow. It should simplify such a model construction for our theory.

1.2.3.7 Other Directions There are other works that focus on giving the user a more fine-grained control of what is considered as computationally relevant. They are based on syntactic annotations on the level of binders and on an extraction procedure [BB08; AS12]. They do however not provide the same kind of expressive power as proof-irrelevance, notably with regard to the treatment of irrelevant equality. An alternative notion was studied by Asperti and Guidi [AG12], where PTS are extended with a term constructor that sends a given term to an opaque, irrelevant one of the same type. This has the advantage of being light on the syntax, but again does not capture full proof-irrelevance.

2 A Proof-Irrelevant Calculus of Constructions

We will now present a proof-irrelevant Calculus of Constructions that draws inspiration from the algebraic presentation of pCIC of Hugo Herbelin and Arnaud Spiwack [HS13] but extends the conversion relation to implement proof-irrelevance.

2.1 Grammar

contexts    Γ, Δ ::= · | Γ, 𝑥∶𝐴

sorts       𝑠 ::= Prop | Type𝑖, 𝑖 ∈ ℕ

variables   𝑣 ∈ 𝒱

terms       𝑡, 𝑢, 𝑣, 𝐴, 𝐵, 𝐶 ::= 𝑠 | 𝑣 | False | True | I
              | 𝐴 + 𝐵 | inl 𝐴 | inr 𝐵 | case 𝑡 as 𝑣 return 𝑃 of inl 𝑥 ⇒ 𝑡 | inr 𝑦 ⇒ 𝑢
              | ∑(𝑣∶𝐴)𝐵 | (𝑡, 𝑢) | pr1 𝑡 | pr2 𝑡
              | ∏(𝑣∶𝐴)𝐵 | 𝜆𝑣∶𝐴. 𝑡 | 𝑡 𝑢
              | 𝜇 𝑣∶ 𝐴 → Type𝑖. 𝑡 | fix 𝑣 (𝑣⃗∶𝐴⃗) ⇒ 𝑡
              | ‖𝐴‖ | |𝑡| | let |𝑣| ≔ 𝑢 in 𝑡
              | {𝐴} | prf 𝑡 | 𝑡.prf

2.2 Judgements

There are five different kinds of judgements:

Γ ctx      Γ ⊢ 𝑡 ∶ 𝐴      Γ ⊢ 𝑢 ≡ 𝑣 ∶ 𝐴      sp𝑥 𝐴      Γ ⊢ guarded 𝑓 𝑥1 … 𝑥𝑛 ⇒ 𝑡

Only the first three of these will be detailed in this work. The judgements of strict positivity sp𝑥 𝐹 of a family 𝐹 with respect to a variable 𝑥 and of guardedness will be left abstract (cf. subsubsection 2.4.14). We do require them to be decidable.

2.3 Contexts

$$\frac{}{\cdot\ \mathsf{ctx}}\ \text{(ctx-emp)} \qquad \frac{x_1{:}A_1, \ldots, x_{n-1}{:}A_{n-1} \vdash A_n : \mathsf{Type}_i}{(x_1{:}A_1, \ldots, x_n{:}A_n)\ \mathsf{ctx}}\ \text{(ctx-ext)}$$

Restricting the sort of the types of variables to be Type𝑖 ensures that all propositional variables are tagged with {·}. This bears resemblance to Werner's, Pfenning's and Abel's presentations of irrelevance, where all binders are annotated with the (ir-)relevance of the variables that are bound, except that ours is a type-based criterion.

2.4 Types

2.4.1 Generalities: Shape of Rules

For each type-former, we give its formation rule, specifying the requirements for a valid type, its introduction rule, describing the terms inhabiting it. The corresponding elimination rule or induction principle describes how a term of a type can be used, the computation rule gives definitional equalities, explaining the interaction of the elimination rules with the results of the introduction rules. Finally, there may be a uniqueness principle, which is a judgemental equality explaining how every element of the type is uniquely determined by the results of elimination rules applied to it.

2.4.2 Variables

$$\frac{(x_1{:}A_1, \ldots, x_n{:}A_n)\ \mathsf{ctx} \qquad 1 \le i \le n}{x_1{:}A_1, \ldots, x_n{:}A_n \vdash x_i : A_i}\ \text{(Vble)}$$

2.4.3 Sorts

The types of types are called sorts. Compared to the traditional presentation of CC, the sort Set corresponds to Type0, Type𝑖 to Type𝑖, and there is an impredicative sort Prop, at the bottom of the hierarchy but excluded from the implicit cumulativity.

$$\frac{\Gamma\ \mathsf{ctx}}{\Gamma \vdash \mathsf{Prop} : \mathsf{Type}_1}\ \text{(Prop-Ax)} \qquad \frac{\Gamma\ \mathsf{ctx}}{\Gamma \vdash \mathsf{Type}_i : \mathsf{Type}_{i+1}}\ \text{(Type-Ax)} \qquad \frac{\Gamma \vdash A : \mathsf{Type}_i}{\Gamma \vdash A : \mathsf{Type}_{i+1}}\ \text{(Type-cumul)}$$

Note that the rule for cumulativity is derivable from the definition of conversion given in subsection 2.5.


2.4.4 The type of Absurdity False

$$\frac{\Gamma\ \mathsf{ctx}}{\Gamma \vdash \mathsf{False} : \mathsf{Prop}}\ \text{(False-form)} \qquad \frac{\Gamma \vdash C : s \qquad \Gamma \vdash t : \mathsf{False}}{\Gamma \vdash\ !_C\,t : C}\ \text{(False-elim)} \qquad \frac{\Gamma \vdash u : \mathsf{False} \qquad \Gamma \vdash v : \mathsf{False}}{\Gamma \vdash u \equiv v : \mathsf{False}}\ \text{(False-irrel)}$$

As inductive types are generated by their constructors, and we do not give any for False, it is an empty type. The second premise of the elimination rule assumes that we can construct a term 𝑡 of type False, which is absurd. Hence the context Γ is contradictory and we can derive anything. In logic, this principle is known as ex falso quodlibet; in a program this corresponds to an unreachable point. For example, it can be used in a dead branch of a case construct. This illustrates why there is no computation rule corresponding to this elimination. Correspondingly, we make False proof-irrelevant, as it has no computational content.

We intend to give a type-based conversion algorithm to decide the judgement of definitional equality, in the spirit of [AMS07]. This enables us to give extensionally flavoured rules such as False-irrel, which could not be implemented with an untyped conversion, which does not have access to the information that both 𝑢 and 𝑣 are inhabitants of False.

2.4.5 The Trivial Type True

$$\frac{\Gamma\ \mathsf{ctx}}{\Gamma \vdash \mathsf{True} : \mathsf{Prop}}\ \text{(True-form)} \qquad \frac{\Gamma\ \mathsf{ctx}}{\Gamma \vdash \mathsf{I} : \mathsf{True}}\ \text{(True-intro)} \qquad \frac{\Gamma \vdash u : \mathsf{True}}{\Gamma \vdash u \equiv \mathsf{I} : \mathsf{True}}\ \text{(True-uniq)}$$

Like for False, there is a uniqueness rule for True: terms of type True are all convertible to I and thus irrelevant. The absence of an elimination rule is easily explained in terms of irrelevance: any type 𝐴[𝑥] constructed depending on an instance 𝑥∶True is convertible by True-uniq to 𝐴[I/𝑥]. Therefore, any term implementing 𝐴[𝑢] for a particular 𝑢∶True also implements 𝐴[𝑣] for any 𝑣∶True.


2.4.6 Disjoint Sums

$$\frac{\Gamma \vdash A : \mathsf{Type}_i \qquad \Gamma \vdash B : \mathsf{Type}_j \qquad (\mathsf{Type}_i, \mathsf{Type}_j, s_3) \in \mathcal{R}}{\Gamma \vdash A + B : s_3}\ \text{(+-form)}$$

$$\frac{\Gamma \vdash A : \mathsf{Type}_i \qquad \Gamma \vdash B : \mathsf{Type}_j \qquad \Gamma \vdash a : A}{\Gamma \vdash \mathsf{inl}\,a : A + B}\ \text{(+-intro1)} \qquad \frac{\Gamma \vdash A : \mathsf{Type}_i \qquad \Gamma \vdash B : \mathsf{Type}_j \qquad \Gamma \vdash b : B}{\Gamma \vdash \mathsf{inr}\,b : A + B}\ \text{(+-intro2)}$$

$$\frac{\Gamma, z{:}A + B \vdash C : s \qquad \Gamma, x{:}A \vdash u : C[\mathsf{inl}\,x/z] \qquad \Gamma, y{:}B \vdash v : C[\mathsf{inr}\,y/z] \qquad \Gamma \vdash t : A + B}{\Gamma \vdash \mathsf{case}\ t\ \mathsf{as}\ z\ \mathsf{return}\ C\ \mathsf{of}\ \mathsf{inl}\,x \Rightarrow u \mid \mathsf{inr}\,y \Rightarrow v : C[t/z]}\ \text{(+-elim)}$$

$$\frac{\Gamma, z{:}A + B \vdash C : s \qquad \Gamma, x{:}A \vdash u : C[\mathsf{inl}\,x/z] \qquad \Gamma, y{:}B \vdash v : C[\mathsf{inr}\,y/z] \qquad \Gamma \vdash a : A}{\Gamma \vdash \mathsf{case}\ \mathsf{inl}\,a\ \mathsf{as}\ z\ \mathsf{return}\ C\ \mathsf{of}\ \mathsf{inl}\,x \Rightarrow u \mid \mathsf{inr}\,y \Rightarrow v \;\equiv\; u[a/x] : C[\mathsf{inl}\,a/z]}\ \text{(+-comp1)}$$

$$\frac{\Gamma, z{:}A + B \vdash C : s \qquad \Gamma, x{:}A \vdash u : C[\mathsf{inl}\,x/z] \qquad \Gamma, y{:}B \vdash v : C[\mathsf{inr}\,y/z] \qquad \Gamma \vdash b : B}{\Gamma \vdash \mathsf{case}\ \mathsf{inr}\,b\ \mathsf{as}\ z\ \mathsf{return}\ C\ \mathsf{of}\ \mathsf{inl}\,x \Rightarrow u \mid \mathsf{inr}\,y \Rightarrow v \;\equiv\; v[b/y] : C[\mathsf{inr}\,b/z]}\ \text{(+-comp2)}$$

Note that disjoint sums are always informative, even if they are constructed over two proof objects. Therefore, their sort has to be at least Type0.

2.4.7 Π-Types: Dependent Functions

$$\frac{\Gamma \vdash A : \mathsf{Type}_i \qquad \Gamma, x{:}A \vdash B : s_2 \qquad (\mathsf{Type}_i, s_2, s_3) \in \mathcal{R}_\Pi}{\Gamma \vdash \Pi_{(x:A)}B : s_3}\ \text{(Π-form)}$$

$$\frac{\Gamma, x{:}A \vdash t : B}{\Gamma \vdash \lambda x{:}A.\,t : \Pi_{(x:A)}B}\ \text{(Π-intro)} \qquad \frac{\Gamma \vdash u : \Pi_{(x:A)}B \qquad \Gamma \vdash v : A}{\Gamma \vdash u\,v : B[v/x]}\ \text{(Π-elim)}$$

$$\frac{\Gamma, x{:}A \vdash t : B \qquad \Gamma \vdash v : A}{\Gamma \vdash (\lambda x{:}A.\,t)\,v \equiv t[v/x] : B[v/x]}\ \text{(Π-comp)} \qquad \frac{\Gamma \vdash t : \Pi_{(x:A)}B}{\Gamma \vdash t \equiv (\lambda x{:}A.\,t\,x) : \Pi_{(x:A)}B}\ \text{(Π-uniq)}$$

where

$$\mathcal{R} = \{ (s_1, s_2, \max(s_1, s_2)) \} \qquad \mathcal{R}_{impred} = \{ (s, \mathsf{Prop}, \mathsf{Prop}) \} \qquad \mathcal{R}_\Pi = \mathcal{R}_{impred} \cup \mathcal{R}$$

$$\max(\mathsf{Type}_i, \mathsf{Type}_j) = \mathsf{Type}_{\max(i,j)} \qquad \max(s, \mathsf{Prop}) = \max(\mathsf{Prop}, s) = s$$

Our dependent function types allow quantification only over types of sort Type, as dictated by the ctx-ext rule, but we let the codomain range over Prop as well to allow the construction of impredicative quantifications. It seems possible to get a more uniform framework where the codomain is restricted to Type as well, removing ℛ𝑖𝑚𝑝𝑟𝑒𝑑 yet retaining impredicativity, using truncation of the respective lifted domain/codomain, but we did not explore this idea in depth yet. We have the usual 𝛽-rule and 𝜂-conversion.

In the special case of non-dependent functions, we will use the usual arrow abbreviation.

𝐴 → 𝐵 ∶≡ ∏(_∶𝐴)𝐵

2.4.8 Σ-Types: Dependent Pairs

$$\frac{\Gamma \vdash A : \mathsf{Type}_i \qquad \Gamma, x{:}A \vdash B : s_2 \qquad (\mathsf{Type}_i, s_2, s_3) \in \mathcal{R}}{\Gamma \vdash \Sigma_{(x:A)}B : s_3}\ \text{(Σ-form)} \qquad \frac{\Gamma, x{:}A \vdash B : s \qquad \Gamma \vdash a : A \qquad \Gamma \vdash b : B[a/x]}{\Gamma \vdash (a, b) : \Sigma_{(x:A)}B}\ \text{(Σ-intro)}$$

$$\frac{\Gamma \vdash t : \Sigma_{(x:A)}B}{\Gamma \vdash \mathsf{pr}_1\,t : A}\ \text{(Σ-elim-1)} \qquad \frac{\Gamma \vdash t : \Sigma_{(x:A)}B}{\Gamma \vdash \mathsf{pr}_2\,t : B[\mathsf{pr}_1\,t/x]}\ \text{(Σ-elim-2)}$$

$$\frac{\Gamma \vdash (a, b) : \Sigma_{(x:A)}B}{\Gamma \vdash \mathsf{pr}_1\,(a, b) \equiv a : A}\ \text{(Σ-comp-1)} \qquad \frac{\Gamma \vdash (a, b) : \Sigma_{(x:A)}B}{\Gamma \vdash \mathsf{pr}_2\,(a, b) \equiv b : B[a/x]}\ \text{(Σ-comp-2)} \qquad \frac{\Gamma \vdash t : \Sigma_{(x:A)}B}{\Gamma \vdash (\mathsf{pr}_1\,t, \mathsf{pr}_2\,t) \equiv t : \Sigma_{(x:A)}B}\ \text{(Σ-uniq)}$$

As the name indicates, the second component of a dependent pair may depend on its first component. Because of the restriction on the sorts of types of variables added to the context in ctx-ext of subsection 2.3, the first component of a pair has to be of sort Type. The elimination of a pair is defined using projections to its first and second components. This allows us to define a uniqueness rule, known as surjective pairing, the canonical form being the constructor applied to the projections. Like for dependent functions, we define a notation for the non-dependent case:

(𝐴 ∗ 𝐵) ∶≡ ∑(_∶𝐴)𝐵

2.4.9 Equality Types

$$\frac{\Gamma \vdash A : \mathsf{Type}_i \qquad \Gamma \vdash a : A \qquad \Gamma \vdash b : A}{\Gamma \vdash a =_A b : \mathsf{Type}_i}\ \text{(=-form)} \qquad \frac{\Gamma \vdash A : \mathsf{Type}_i \qquad \Gamma \vdash a : A}{\Gamma \vdash \mathsf{refl}_A\,a : a =_A a}\ \text{(=-intro)}$$

$$\frac{\Gamma, x{:}A, y{:}A, p{:}x =_A y \vdash C : \mathsf{Type}_i \qquad \Gamma, z{:}A \vdash c : C[z/x, z/y, \mathsf{refl}_A\,z/p] \qquad \Gamma \vdash a : A \qquad \Gamma \vdash b : A \qquad \Gamma \vdash e : a =_A b}{\Gamma \vdash \mathsf{ind}_{=_A}\ x.y.p.C\ \ z.c\ \ a\ b\ e : C[a/x, b/y, e/p]}\ \text{(=-elim)}$$

$$\frac{\Gamma, x{:}A, y{:}A, p{:}x =_A y \vdash C : \mathsf{Type}_i \qquad \Gamma, z{:}A \vdash c : C[z/x, z/y, \mathsf{refl}_A\,z/p] \qquad \Gamma \vdash a : A}{\Gamma \vdash \mathsf{ind}_{=_A}\ x.y.p.C\ \ z.c\ \ a\ a\ (\mathsf{refl}_A\,a) \equiv c[a/z] : C[a/x, a/y, \mathsf{refl}_A\,a/p]}\ \text{(=-comp)}$$

In ind=𝐴, the variables 𝑥, 𝑦 and 𝑝 are bound in 𝐶, and 𝑧 is bound in 𝑐.

The inductive type family of equalities over a type 𝐴 is defined as the smallest reflexive relation over 𝐴. This is witnessed by the fact that it is generated by a single constructor, refl. Its elimination principle is justified by the fact that there is a single constructor. From this definition, we can derive the Leibniz principle that equality is substitutive and show that it is an equivalence.

Henceforth we will avoid using the terminology “propositional equality” for the general equality type. Traditionally, it is thought that propositions and types should be identified through the so-called Curry-Howard isomorphism. But in our setting we have a clear distinction between the types living in the sort of propositions Prop and the hierarchy of sorts Type, and Curry-Howard correspondence seems like a more appropriate name.

Note that two terms whose equality is witnessed by a proof in a closed context are necessarily definitionally equal, but this does of course not hold for open terms. The reason for the distinction is that definitional equality should be a decidable property, while propositional equality captures logically much stronger statements. For instance, with 𝑛𝑎𝑡 and (+) defined by the usual structural recursion on the first argument, the judgement 𝑛∶𝑛𝑎𝑡 ⊢ 0 + 𝑛 ≡ 𝑛 ∶ 𝑛𝑎𝑡 holds definitionally, i.e. by computation of plus, and is not witnessed by a term. On the other hand, 𝑛∶𝑛𝑎𝑡 ⊢ 𝑛 + 0 ≡ 0 + 𝑛 ∶ 𝑛𝑎𝑡 does not hold by computation, but we can give a term that inhabits the type 𝑛 + 0 =𝑛𝑎𝑡 0 + 𝑛, building on the induction principle for 𝑛𝑎𝑡.
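As an added illustration (example code written for this edition, not part of the report), the two equations just discussed can be tried directly in Coq: `0 + n` is convertible to `n` because `plus` recurses on its first argument, `n + 0 = n` is inhabited only by a proof term built by induction, and the closed instance `3 + 0 = 3` is again settled by conversion, as the remark about closed contexts predicts. The names `zero_plus`, `plus_zero` and `three_plus_zero` are the example's own.

```coq
(* Added example, not from the report: definitional versus propositional
   equality in Coq.  Nat.add recurses on its first argument, so 0 + n reduces
   to n even for a variable n, and conversion alone justifies the equation. *)
Definition zero_plus (n : nat) : 0 + n = n := eq_refl.

(* n + 0 is stuck on the variable n, so the same conversion check fails ... *)
Fail Definition plus_zero_conv (n : nat) : n + 0 = n := eq_refl.

(* ... and the equation is inhabited only by a term of the equality type,
   built here by induction on n (f_equal S lifts the hypothesis through S). *)
Fixpoint plus_zero (n : nat) : n + 0 = n :=
  match n as n0 return n0 + 0 = n0 with
  | 0 => eq_refl
  | S m => f_equal S (plus_zero m)
  end.

(* In a closed context both sides compute to the same canonical form, so
   the equation is once more witnessed by conversion. *)
Definition three_plus_zero : 3 + 0 = 3 := eq_refl.
```

Compile the file with coqc: the `Fail` line is accepted precisely because the enclosed definition is rejected, which is the behaviour the text ascribes to open terms.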

We do not postulate a uniqueness principle for equality types, known as UIP (“uniqueness of identity proofs”), so as to remain compatible with Coq and not to exclude possible models, such as the groupoid interpretation. This allows us to add axioms that would themselves be incompatible with UIP, such as univalence.

Nonetheless it is possible to define a proof-irrelevant notion of equality, by using the type of truncations. Naturally there is a price to pay for irrelevance, and the elimination rule for truncated equalities is weaker than for proof-relevant equalities, as detailed in subsubsection 2.4.11.

2.4.10 Lifting

$$\frac{\Gamma \vdash A : \mathsf{Prop}}{\Gamma \vdash \{A\} : \mathsf{Type}_0}\ \text{(Lift-form)} \qquad \frac{\Gamma \vdash A : \mathsf{Prop} \qquad \Gamma \vdash a : A}{\Gamma \vdash \mathsf{prf}\,a : \{A\}}\ \text{(Lift-intro)} \qquad \frac{\Gamma \vdash a : \{A\}}{\Gamma \vdash a.\mathsf{prf} : A}\ \text{(Lift-elim)}$$

$$\frac{\Gamma \vdash A : \mathsf{Prop} \qquad \Gamma \vdash a : A}{\Gamma \vdash (\mathsf{prf}\,a).\mathsf{prf} \equiv a : A}\ \text{(Lift-comp)} \qquad \frac{\Gamma \vdash u : \{A\} \qquad \Gamma \vdash v : \{A\}}{\Gamma \vdash u \equiv v : \{A\}}\ \text{(Lift-irrel)}$$

Lifting can be seen as the channel of communication from Prop to Type, which allows propositions to be treated as data. In particular, we allow functions to abstract over lifted propositions. This guarantees us that any variable 𝑥 or 𝑦 of propositional type 𝑃 ∶Prop can enter the context only after it is lifted to {𝑃 }. In turn, the irrelevance of the variable is preserved. This

(18)

has a practical advantage when checking the convertibility 𝑥 and 𝑦, because their type is tagged as lifted, and they become definitionally equal trivially.

Γ, 𝑃 ∶Prop, 𝑥 𝑦∶ {𝑃 } ⊢ 𝑥 ≡ 𝑦 ∶ {𝑃 }

Let us compare this restriction to the situation where we allow the introduction of variables whose type is not only of sort Type but may also be of sort Prop. Consider the case where a type of sort Prop has been introduced in the context and we want to check the convertibility of two variables inhabiting it.

Γ, 𝑃 ∶Prop, 𝑥 𝑦∶𝑃 ⊢ 𝑥 ≡ 𝑦 ∶ 𝑃

We have no criterion, neither on the shape of the terms nor on their type, that would allow us to conclude: there is no local evidence for this judgement. One could try to determine the sort of 𝑃 and conclude that 𝑥 and 𝑦 should be convertible because they are hypothetically propositional, but then the conversion would no longer be type-directed.

2.4.11 Truncation

    Trunc-form
        Γ ⊢ 𝐴 ∶ Typeᵢ
        ─────────────────
        Γ ⊢ ‖𝐴‖ ∶ Prop

    Trunc-intro
        Γ ⊢ 𝑎 ∶ 𝐴    Γ ⊢ 𝐴 ∶ Typeᵢ
        ───────────────────────────
        Γ ⊢ |𝑎| ∶ ‖𝐴‖

    Trunc-elim
        Γ ⊢ 𝑎 ∶ ‖𝐴‖    Γ ⊢ 𝑃 �∶ Prop    Γ, 𝑥∶𝐴 ⊢ 𝑝 ∶ 𝑃
        ─────────────────────────────────────────────
        Γ ⊢ let |𝑥| ≔ 𝑎 in 𝑝 ∶ 𝑃

    Trunc-comp
        Γ ⊢ let |𝑥| ≔ |𝑎| in 𝑝 ∶ 𝑃
        ───────────────────────────────────────
        Γ ⊢ let |𝑥| ≔ |𝑎| in 𝑝 ≡ 𝑝[𝑎/𝑥] ∶ 𝑃

    Trunc-irrel
        Γ ⊢ 𝑥 ∶ ‖𝐴‖    Γ ⊢ 𝑦 ∶ ‖𝐴‖
        ───────────────────────────
        Γ ⊢ 𝑥 ≡ 𝑦 ∶ ‖𝐴‖

Truncation is a type constructor turning an arbitrary informative type into a proposition. Conceptually, a term of a truncated type witnesses the fact that the type is inhabited, but does not provide any information about how it was constructed. Two terms in a truncated type are definitionally equal, so this precisely implements proof-irrelevance at this type. The rationale behind the elimination rule is that we allow introspection of the term only to build an inhabitant of another proposition, which in turn will be uninformative itself.

In [AB04], the bracket type has the following elimination rule:

    Awodey-Bauer
        Γ ⊢ 𝑎 ∶ ‖𝐴‖    Γ ⊢ 𝑃 ∶ 𝑠    Γ, 𝑥∶𝐴 ⊢ 𝑝 ∶ 𝑃    Γ, 𝑥∶𝐴, 𝑦∶𝐴 ⊢ 𝑝 ≡ 𝑝[𝑦/𝑥] ∶ 𝑃
        ──────────────────────────────────────────────────────────────────────
        Γ ⊢ let |𝑥| ≔ 𝑎 in 𝑝 ∶ 𝑃

This rule relies on an extensional equality to ensure that all usages of 𝑥 are irrelevant, as expressed by the premise 𝑝 ≡ 𝑝[𝑦/𝑥], which can require arbitrarily complex reasoning using the propositional equality.

In contrast to their construction, the premises of our elimination rule are decidable, as we have a sorting condition on the type 𝑃 we eliminate into. This ensures that 𝑝 is itself irrelevant, even if it makes relevant use of 𝑥.

Indeed, in their system all propositionally irrelevant types are treated as definitionally irrelevant. In other words, irrelevance is reflected automatically from the propositional to the definitional level. In our case, the user has to be explicit about when she wants to use irrelevance.

In contrast to the propositions of homotopy type theory, the Prop sort captures only the “strict” propositions. Homotopy propositions are those types 𝐴 for which hProp 𝐴 ∶≡ ∏(𝑥 𝑦∶𝐴) 𝑥 =_𝐴 𝑦 is inhabited, while for strict propositions all inhabitants have to be equal definitionally.

For instance, we can prove by induction that 𝐼𝑑 𝑛𝑎𝑡 is decidable, i.e. ∏(𝑛 𝑚∶𝑛𝑎𝑡) (𝑛 =_𝑛𝑎𝑡 𝑚) + ¬(𝑛 =_𝑛𝑎𝑡 𝑚); hence, by Hedberg’s theorem [Hed98], it follows that ∏(𝑛 𝑚∶𝑛𝑎𝑡) hProp (𝑛 =_𝑛𝑎𝑡 𝑚). In our system, only the truncated equality over natural numbers is a proposition. But both h-propositions and our strict propositions can cohabit in the same system, thanks to the separation of the universe of strict propositions from that of general types.

2.4.12 Truncated Equality

    trunc-=-elim
        Γ ⊢ 𝑒 ∶ {‖𝑎 =_𝐴 𝑏‖}
        Γ, 𝑥∶𝐴, 𝑦∶𝐴, 𝑝∶{‖𝑥 =_𝐴 𝑦‖} ⊢ 𝐶 ∶ 𝑠
        Γ, 𝑧∶𝐴 ⊢ 𝑐 ∶ 𝐶[𝑧/𝑥, 𝑧/𝑦, prf|refl_𝐴 𝑧|/𝑝]
        ───────────────────────────────────────────────────────
        Γ ⊢ ind_‖=‖ (𝑥.𝑦.𝑝.𝐶) (𝑧.𝑐) 𝑎 𝑏 𝑒 ∶ 𝐶[𝑎/𝑥, 𝑏/𝑦, 𝑒/𝑝]

    trunc-=-comp
        Γ ⊢ 𝑎 ≡ 𝑏 ∶ 𝐴
        ───────────────────────────────────────────────────────────────
        Γ ⊢ ind_‖=‖ (𝑥.𝑦.𝑝.𝐶) (𝑧.𝑐) 𝑎 𝑏 𝑒 ≡ 𝑐[𝑎/𝑧] ∶ 𝐶[𝑎/𝑥, 𝑎/𝑦, 𝑒/𝑝]

In ind_‖=‖, 𝑥, 𝑦 and 𝑝 are bound in 𝐶, and 𝑧 is bound in 𝑐.

Drawing inspiration from the presentation of the substitution principle of equality in [AMS07] and [Wer06], we introduce a special elimination principle for truncated equalities. It differs from the principle derivable for any truncated type in that it allows eliminating truncated equalities into Type. This allows us to write programs that make informative use of the indices 𝑎, 𝑏, while still preventing them from inspecting the original truncated proof. Correspondingly, the computation rule does not depend on the proof term but only on the definitional equality of the indices; this is Werner’s reduction rule for the equality eliminator Eq_rec. Note that this truncated equality obviously enjoys Streicher’s K axiom, since K follows from proof-irrelevance.
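As an added illustration that is not part of the paper, the rules of 2.4.10–2.4.12 have close counterparts in Coq: Coq's Prop carries the same elimination restriction as ‖·‖, and Coq's equality eliminates into Type. The names Lift, prf, prf_of, Trunc, trunc, transport and nat_ind_lift below are our own. The two Fail commands record what Coq rejects; the last one shows the rule that Coq's Prop does not reproduce, namely definitional irrelevance (Lift-irrel, Trunc-irrel).

```coq
(* Added example (not from the paper): Coq counterparts of the Lifting,
   Truncation and Truncated Equality rules.  All names are our own. *)

(* Lift-form / Lift-intro / Lift-elim: {A} is a record in Type whose single
   field lives in Prop.  [prf a : Lift A] and [prf_of t : A]. *)
Record Lift (A : Prop) : Type := prf { prf_of : A }.
Arguments prf {A} _.
Arguments prf_of {A} _.

(* Lift-comp: (prf a).prf ≡ a holds by iota-reduction. *)
Definition lift_comp (A : Prop) (a : A) : prf_of (prf a) = a := eq_refl.

(* Trunc-form / Trunc-intro: ‖A‖ is a Prop with one constructor |a|.  Its
   argument is informative (of sort Type), so Coq only lets it be eliminated
   into Prop: exactly the sort condition of Trunc-elim. *)
Inductive Trunc (A : Type) : Prop := trunc : A -> Trunc A.
Arguments trunc {A} _.

(* Trunc-elim: let |x| := t in p, accepted because P : Prop. *)
Definition trunc_elim (A : Type) (P : Prop) (t : Trunc A) (p : A -> P) : P :=
  match t with trunc x => p x end.

(* Trunc-comp: the eliminator reduces on a constructor. *)
Definition trunc_comp (A : Type) (P : Prop) (a : A) (p : A -> P) :
  trunc_elim A P (trunc a) p = p a := eq_refl.

(* The same match into a Type is rejected ("Incorrect elimination of t ...
   the return type has sort Type while it should be Prop").
   [Fail] turns the expected error into a success so the script continues. *)
Fail Definition untrunc (A : Type) (t : Trunc A) : A :=
  match t with trunc x => x end.

(* Caveat: Lift-irrel and Trunc-irrel are NOT definitional in Coq's Prop,
   so the paper's judgement Γ, P:Prop, x y:{P} ⊢ x ≡ y does not hold here. *)
Fail Definition lift_irrel (P : Prop) (u v : Lift P) : u = v := eq_refl.

(* 2.4.12: Coq's eq is a Prop that may nevertheless be eliminated into Type
   (singleton elimination), like the paper's truncated equality. *)
Definition transport (A : Type) (C : A -> Type) (a b : A) (e : a = b) (c : C a) : C b :=
  match e in _ = y return C y with eq_refl => c end.

(* Unlike trunc-=-comp, which fires as soon as a ≡ b, Coq's rule fires only
   when the proof term is literally eq_refl. *)
Definition transport_comp (A : Type) (C : A -> Type) (a : A) (c : C a) :
  transport A C a a eq_refl c = c := eq_refl.

(* 2.4.10: abstracting over lifted propositions lets the Type-level recursor
   derive the Prop-level induction principle, as done for nat in 2.6.3.1. *)
Definition nat_ind_lift (P : nat -> Prop) (p0 : Lift (P 0))
  (pS : forall m, Lift (P m) -> Lift (P (S m))) : forall n, Lift (P n) :=
  nat_rect (fun n => Lift (P n)) p0 pS.
```

The file can be stepped through in any Coq ≥ 8.5; only the two Fail lines produce output, and both report that the command "has indeed failed".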

2.4.13 Inductive Fixpoint

    𝜇-form
        Γ ⊢ 𝐴 ∶ 𝑠    Γ, 𝑋∶𝐴 → Typeᵢ ⊢ 𝐹 ∶ 𝐴 → Typeᵢ    sp_𝑋 𝐹
        ─────────────────────────────────────────────────────
        Γ ⊢ 𝜇 𝑋∶𝐴 → Typeᵢ. 𝐹 ∶ 𝐴 → Typeᵢ

    𝜇-comp
        Γ ⊢ 𝜇 𝑋∶𝐴 → Typeᵢ. 𝐹 ∶ 𝐴 → Typeᵢ
        ─────────────────────────────────────────────────────────────
        Γ ⊢ 𝜇 𝑋∶𝐴 → Typeᵢ. 𝐹 ≡ 𝐹[𝜇 𝑋∶𝐴 → Typeᵢ. 𝐹 / 𝑋] ∶ 𝐴 → Typeᵢ

Here sp_𝑋 𝐹 is the side condition that 𝑋 occurs only strictly positively in 𝐹.

Directly following the presentation of [HS13], we give a least fixpoint operator over types, which allows constructing strictly positive inductive families and also allows free folding and unfolding of the fixpoint operator. In contrast, we do not allow constructing fixpoints directly in Prop, as this goes against our concept of irrelevance of propositions. A fixpoint over a propositional type would contradict the idea that any two proofs of a proposition should be indistinguishable inside the system: the computational behaviour of a fixpoint over a proof would clearly have to depend on its exact shape, as explained in paragraph 2.6.3.2.

2.4.14 Fixpoint on Functions

    fix-intro
        Γ ⊢ ∏(𝑥₁∶𝐴₁) … ∏(𝑥ₙ∶𝐴ₙ) 𝐵 ∶ 𝑠
        Γ, 𝑓∶∏(𝑥₁∶𝐴₁) … ∏(𝑥ₙ∶𝐴ₙ) 𝐵, 𝑥₁∶𝐴₁, …, 𝑥ₙ∶𝐴ₙ ⊢ 𝑡 ∶ 𝐵
        Γ ⊢ guarded 𝑓 𝑥₁ … 𝑥ₙ ⇒ 𝑡
        ──────────────────────────────────────────────────────────────
        Γ ⊢ fix 𝑓 (𝑥₁∶𝐴₁) … (𝑥ₙ∶𝐴ₙ) ⇒ 𝑡 ∶ ∏(𝑥₁∶𝐴₁) … ∏(𝑥ₙ∶𝐴ₙ) 𝐵

Once we have defined inductive types, we can write recursive functions over them. Logically speaking, this allows us to realise their induction principles. To ensure their termination, we require that these definitions respect the structural order of the data-type definitions we recurse over, which is verified by the checker. The sophistication of this guardedness-checker is a design choice of the system. As it is part of the trusted code base, the Coq system implements a relatively concise structural criterion, while Agda uses a more elaborate type-based analysis. We plan to follow the tradition of Coq and use a simple guard-condition, but we can use the well-known method of wrapping a complex recursion into a structural recursion over the accessibility predicate Acc (cf. paragraph 2.6.3.2).

2.5 Definitional Equality

    ≤-conv
        Γ ⊢ 𝑡 ∶ 𝐴    Γ ⊢ 𝐵 ∶ 𝑠    Γ ⊢ 𝐴 ≤ 𝐵 ∶ 𝑠
        ────────────────────────────────────────
        Γ ⊢ 𝑡 ∶ 𝐵

    ≤-Π
        Γ ⊢ 𝐴₁ ∶ 𝑠    Γ ⊢ 𝐴₁ ≡ 𝐴₂ ∶ 𝑠    Γ, 𝑥∶𝐴₁ ⊢ 𝐵₁ ≤ 𝐵₂ ∶ 𝑠′
        ────────────────────────────────────────────────────────
        Γ ⊢ ∏(𝑥∶𝐴₁) 𝐵₁ ≤ ∏(𝑥∶𝐴₂) 𝐵₂ ∶ 𝑠′

    ≤-Type
        𝑖 ≤ 𝑗
        ──────────────────────────
        Γ ⊢ Typeᵢ ≤ Typeⱼ ∶ 𝑠

    ≤-trans
        Γ ⊢ 𝐴 ≤ 𝐵 ∶ 𝑠    Γ ⊢ 𝐵 ≤ 𝐶 ∶ 𝑠
        ───────────────────────────────
        Γ ⊢ 𝐴 ≤ 𝐶 ∶ 𝑠

    ≡-≤
        Γ ⊢ 𝐴 ≡ 𝐵 ∶ 𝑠
        ──────────────────
        Γ ⊢ 𝐴 ≤ 𝐵 ∶ 𝑠

    ≡-compat
        Γ ⊢ 𝑢 ≡ 𝑣 ∶ 𝐴    Γ ⊢ 𝐵 ∶ 𝑠    Γ ⊢ 𝐴 ≤ 𝐵 ∶ 𝑠
        ───────────────────────────────────────────
        Γ ⊢ 𝑢 ≡ 𝑣 ∶ 𝐵

    ≡-refl
        Γ ⊢ 𝑡 ∶ 𝐴
        ─────────────────
        Γ ⊢ 𝑡 ≡ 𝑡 ∶ 𝐴

    ≡-sym
        Γ ⊢ 𝑢 ≡ 𝑣 ∶ 𝐴
        ─────────────────
        Γ ⊢ 𝑣 ≡ 𝑢 ∶ 𝐴

    ≡-trans
        Γ ⊢ 𝑢 ≡ 𝑣 ∶ 𝐴    Γ ⊢ 𝑣 ≡ 𝑡 ∶ 𝐴
        ───────────────────────────────
        Γ ⊢ 𝑢 ≡ 𝑡 ∶ 𝐴

The cumulativity relation ≤ used in the conversion rule formalises sub-typing of dependent products with respect to the universe hierarchy. It includes the definitional equality relation ≡. The definitional equality ≡ contains all of the equations given in the presentation of the types and is a congruence for all term- and type-formers.

We will decide this judgement using a normalisation-by-evaluation algorithm that compares terms in their canonical form according to their types. This is however work in progress and we do not have a definition of such an algorithm yet.

2.6 Derived Types

This terminates the presentation of the core type theory, but a day-to-day Coq user would hardly recognise her favourite proof-assistant here. Yet we argue that everything is right there, and we shall show how to derive the familiar concepts she is missing. But fear not: this is simply a different presentation and not a set of clumsy encodings, and we have good hope that the surface language of an implementation of this calculus will be very close to the convenience of the current syntax, while allowing the power-user to look at what is happening under the hood.

2.6.1 Finite Types

Somewhat contrary to common practice, we do not define falsehood and trivial truth as the truncations of the empty type 0 and of the unit type 1 respectively, but rather take them as primitive and derive 0 and 1 from their corresponding propositions.

The reason for this has to do with the elimination behaviour of truth and falsehood, which can be eliminated into arbitrary sorts even though they are propositions. In fact it does not matter whether 1 is defined in terms of True or the other way around, but we follow the choice made for False for homogeneity. Care has to be taken with False: if instead of False∶Prop we take 0∶Type₀ as primitive and define falsehood as its truncation False ∶≡ ‖0‖∶Prop, we run into problems when we want to eliminate propositional contradictions into higher sorts. We would like to write the following elimination:

    Π-elim
        Γ ⊢ 𝐻 ∶ 𝑃 → False    Γ ⊢ 𝑝 ∶ 𝑃
        ───────────────────────────────
        Γ ⊢ 𝐻 𝑝 ∶ ‖0‖

    0-elim
        Γ ⊢ 𝐴 ∶ Typeᵢ    Γ, 𝑓∶0 ⊢ 𝐴 ∶ Typeᵢ    Γ, 𝑓∶0 ⊢ 𝑓 ∶ 0
        ─────────────────────────────────────────────────────
        Γ, 𝑓∶0 ⊢ !_𝐴 𝑓 ∶ 𝐴

    Trunc-elim
        Γ ⊢ 𝐻 𝑝 ∶ ‖0‖    Γ, 𝑓∶0 ⊢ !_𝐴 𝑓 ∶ 𝐴
        ─────────────────────────────────────
        Γ ⊢ let |𝑓| ≔ 𝐻 𝑝 in !_𝐴 𝑓 ∶ 𝐴

But one of the premises of Trunc-elim is violated: 𝐴 is not of sort Prop. We could add such an elimination rule, but it would be quite ad-hoc because it makes the system less orthogonal.

On the other hand, the elimination of {False} to 𝐴∶Typeᵢ is well-behaved:

    Lift-elim
        𝐴∶Typeᵢ, 𝑡∶{False} ⊢ 𝑡 ∶ {False}
        ──────────────────────────────────
        𝐴∶Typeᵢ, 𝑡∶{False} ⊢ 𝑡.prf ∶ False

    False-elim
        𝐴∶Typeᵢ, 𝑡∶{False} ⊢ 𝐴 ∶ Typeᵢ    𝐴∶Typeᵢ, 𝑡∶{False} ⊢ 𝑡.prf ∶ False
        ──────────────────────────────────────────────────────────────────
        𝐴∶Typeᵢ, 𝑡∶{False} ⊢ !_𝐴 𝑡.prf ∶ 𝐴

Therefore, the empty type 0 is simply defined as the lifting of absurdity, and the unit type 1 as the lifting of triviality:

    0 ∶≡ {False},    1 ∶≡ {True},    ⋆ ∶≡ prf I

With this design, the only propositions that allow for eliminations into Type are False, True and the truncated equalities presented in subsubsection 2.4.12. All of these are in fact irrelevant for the run-time behaviour of closed programs. In the case where a term of type False is eliminated, it can safely be erased, as we are at a point of the program that has a contradictory context and therefore should be unreachable. Terms of type True have no computational content whatsoever. The elimination of a truncated equality only allows using the information on its indices inside the term, leaving the equality-proof opaque, which can hence be erased.

2.6.2 Booleans

    2 ∶≡ 1 + 1,    0₂ ∶≡ inl ⋆,    1₂ ∶≡ inr ⋆

Disjoint sums allow for large eliminations, and we can thus prove, as one would hope, that 0₂ ≠ 1₂.

2.6.3 Inductive Types and Families

We now have all the tools required to implement the usual inductive types. Non-dependent inductive types like the natural numbers can conveniently be written as nullary fixed points:

𝜇 𝑋∶Type𝑖. 𝑡 ∶≡ (𝜇 𝑌 ∶ 1 → Type𝑖. 𝜆_∶1. 𝑡[𝑌 ⋆ /𝑋]) ⋆

For indexed inductive types, we will use truncated equalities to constrain the indices of the recursive arguments.

2.6.3.1 Natural Numbers

In Coq, we can give a definition of the natural numbers with two constructors, 𝑂 and 𝑆:

Inductive nat : Set := O : nat | S : nat → nat

The natural numbers are defined as the following fixpoint, and the two constructors are defined so as to inhabit this fixpoint.

    𝑛𝑎𝑡 ∶≡ 𝜇 𝑋∶Type₀. 1 + 𝑋
    O ∶≡ inl ⋆ ∶ 1 + 𝑛𝑎𝑡
    S ∶≡ 𝜆(𝑛∶𝑛𝑎𝑡). inr 𝑛 ∶ 1 + 𝑛𝑎𝑡

The usual recursion principle nat_rect over Type is now derivable and can be used to define the induction principle nat_ind over Prop.

    nat_rect ∶≡ 𝜆(𝑃∶𝑛𝑎𝑡 → Type) (𝑓₀∶𝑃 O) (𝑓_S∶∏(𝑛∶𝑛𝑎𝑡) 𝑃 𝑛 → 𝑃 (S 𝑛)).
                fix 𝐹 (𝑛∶𝑛𝑎𝑡) ⇒ case 𝑛 as 𝑥 return 𝑃 𝑥 of
                    inl _ ⇒ 𝑓₀
                  | inr 𝑚 ⇒ 𝑓_S 𝑚 (𝐹 𝑚)

    nat_ind ∶≡ 𝜆(𝑃∶𝑛𝑎𝑡 → Prop) (𝑝₀∶{𝑃 O}) (𝑝_S∶∏(𝑚∶𝑛𝑎𝑡) {𝑃 𝑚} → {𝑃 (S 𝑚)}).
               nat_rect (𝜆𝑛∶𝑛𝑎𝑡. {𝑃 𝑛}) 𝑝₀ 𝑝_S

2.6.3.2 Acc: Accessibility Predicates

Our decision to keep the guard-condition as simple as possible means that we can only do structural recursion. But many recursive functions one would naturally write in a functional programming language are based on well-founded recursion instead. Take for example the following (OCaml) implementation of euclidean division:

let rec div a b = if a < b then 0, a

else let q, r = div (a - b) b in q + 1, r

The recursive call is made on 𝑎 − 𝑏, which we know is smaller than 𝑎 if 0 < 𝑏. Combined with a proof that < is a well-founded order, we can use the accessibility predicate Acc to implement div as a structural recursion. We will not dwell on the details of how this encoding can be achieved [BC04]. However, let us analyse why Acc cannot be a proposition.

From the definition of Acc, we can derive a fixpoint operator with the following type:

    ∏(𝐴∶Type) ∏(𝑃∶𝐴 → Type) ∏(𝑅∶𝐴 → 𝐴 → 𝑠) ∏(𝑎∶∏(𝑥∶𝐴) Acc 𝑅 𝑥)
      ∏(𝑓∶∏(𝑥∶𝐴) (∏(𝑦∶𝐴) 𝑅 𝑦 𝑥 → 𝑃 𝑦) → 𝑃 𝑥) ∏(𝑥∶𝐴) 𝑃 𝑥

The meaning of this type is that, for a type 𝐴 and a relation 𝑅 over it, assuming we have an accessibility proof 𝑎 for every 𝑥, it computes 𝑃 𝑥 for any 𝑥, as long as it is provided with a function 𝑓 that takes an 𝑥 and a function computing the recursive calls for any 𝑦 below 𝑥. The computational content of this is a recursion over the accessibility proof. Assuming that we allow accessibility proofs to live in Prop, a closed proof term will be convertible to a hypothetical one. Now the normal forms of a definition applied to each of the two different proofs will generally not coincide, although we would expect them to be identified, since we require convertibility to be a congruence for application. The problem does not occur when Acc is defined in Type. We hope to be able to modify the extraction mechanism so as to eliminate the accessibility argument from the extracted code through an explicit annotation.
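To make this concrete, here is an added Coq example, not taken from the paper, that places the accessibility predicate in Type as the paragraph above requires and defines euclidean division by structural recursion on it; AccT, FixT, accT_bound, lt_accT, div_step and div_wf are our own names. Coq's own Acc lives in Prop and still computes, but only because Coq's Prop is not definitionally proof-irrelevant. The last command shows the fixpoint stuck on a hypothetical accessibility proof: the result depends on the shape of the proof, which is exactly what a definitionally irrelevant Prop could not tolerate.

```coq
(* Added example (not from the paper): well-founded recursion over an
   accessibility predicate in Type.  All names below are our own. *)
Require Import Arith PeanoNat.

(* Accessibility as an informative type: a proof of AccT R x is a tree whose
   shape drives the recursion. *)
Inductive AccT {A : Type} (R : A -> A -> Prop) (x : A) : Type :=
  AccT_intro : (forall y, R y x -> AccT R y) -> AccT R x.
Arguments AccT_intro {A R x} _.

(* The fixpoint operator of paragraph 2.6.3.2, by structural recursion on the
   accessibility argument; the guard checker accepts [h y r] as a subterm. *)
Fixpoint FixT {A : Type} {R : A -> A -> Prop} {P : A -> Type}
    (F : forall x, (forall y, R y x -> P y) -> P x)
    (x : A) (a : AccT R x) {struct a} : P x :=
  match a with
  | AccT_intro h => F x (fun y r => @FixT A R P F y (h y r))
  end.

(* Every natural number is accessible for <.  This is the usual proof of
   well-foundedness by recursion on a bound n with a < n, landing in Type. *)
Fixpoint accT_bound (n : nat) : forall a, a < n -> AccT lt a :=
  match n return (forall a, a < n -> AccT lt a) with
  | 0 => fun a Ha => False_rect _ (Nat.nlt_0_r a Ha)
  | S n' => fun a Ha =>
      AccT_intro (fun b Hb =>
        accT_bound n' b (Nat.lt_le_trans b a n' Hb (le_S_n a n' Ha)))
  end.

Definition lt_accT (a : nat) : AccT lt a :=
  accT_bound (S a) a (Nat.lt_succ_diag_r a).

(* One step of euclidean division.  The recursive call on a - b is justified
   by a - b < a, which needs both b <= a and 0 < b. *)
Definition div_step (b : nat) (Hb : 0 < b) (a : nat)
    (rec : forall a', a' < a -> nat * nat) : nat * nat :=
  match le_lt_dec b a with
  | left Hba => let (q, r) := rec (a - b) (Nat.sub_lt a b Hba Hb) in (S q, r)
  | right _ => (0, a)
  end.

Definition div_wf (a b : nat) (Hb : 0 < b) : nat * nat :=
  @FixT nat lt (fun _ => (nat * nat)%type) (div_step b Hb) a (lt_accT a).

(* lt_accT 7 unfolds to a tree of AccT_intro nodes, so FixT reduces all the
   way down: this evaluates to (2, 1). *)
Eval compute in div_wf 7 3 (Nat.lt_0_succ 2).

(* With a hypothetical accessibility proof [a] nothing reduces: the match in
   FixT is blocked, i.e. the normal form depends on the shape of the proof. *)
Eval compute in fun (a : AccT lt 7) =>
  @FixT nat lt (fun _ => (nat * nat)%type) (div_step 3 (Nat.lt_0_succ 2)) 7 a.
```

Only transparent definitions are used on the computational path (accT_bound recurses on the bound n, never on a proof of <), which is why the first Eval reaches a pair of numerals even though the < proofs it carries are opaque lemmas.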

2.6.4 General Inductive Types

The algebraic presentation allows the definition of indexed inductive families. For more sophisticated inductive definitions, like mutual or nested inductive families, it is claimed that they can be encoded using techniques similar to those presented by Paulin-Mohring in [Pau96]. However, given the new treatment of propositions this conjecture needs to be studied thoroughly.

3 Logic

We can interpret standard first order predicate logic in our universe of propositions as follows:

    ⟦⊥⟧ ∶≡ False
    ⟦⊤⟧ ∶≡ True
    ⟦𝐴 ∧ 𝐵⟧ ∶≡ ‖{⟦𝐴⟧} ∗ {⟦𝐵⟧}‖
    ⟦𝐴 ∨ 𝐵⟧ ∶≡ ‖{⟦𝐴⟧} + {⟦𝐵⟧}‖
    ⟦𝐴 ⇒ 𝐵⟧ ∶≡ {⟦𝐴⟧} → ⟦𝐵⟧
    ⟦∀𝑥∶𝐴, 𝐵⟧ ∶≡ ∏(𝑥∶𝐴) ⟦𝐵⟧
    ⟦∃𝑥∶𝐴, 𝐵⟧ ∶≡ ‖∑(𝑥∶𝐴) ⟦𝐵⟧‖
    ⟦𝑎 =_𝐴 𝑏⟧ ∶≡ ‖𝑎 =_𝐴 𝑏‖

Note that although the introduction rule of dependent pairs requires the first component of a pair to be of sort Type, singleton-elimination for conjunction is preserved. Indeed, the first and second projections out of a truncated pair of propositions can be defined as follows:

    pfst ∶ ∏(𝐴 𝐵∶Prop) {‖{𝐴} ∗ {𝐵}‖} → 𝐴
    pfst ∶≡ 𝜆(𝐴 𝐵∶Prop). 𝜆𝑡∶{‖{𝐴} ∗ {𝐵}‖}. let |𝑥| ≔ 𝑡.prf in (pr₁ 𝑥).prf

    psnd ∶ ∏(𝐴 𝐵∶Prop) {‖{𝐴} ∗ {𝐵}‖} → 𝐵
    psnd ∶≡ 𝜆(𝐴 𝐵∶Prop). 𝜆𝑡∶{‖{𝐴} ∗ {𝐵}‖}. let |𝑥| ≔ 𝑡.prf in (pr₂ 𝑥).prf

4 Examples, Applications

We can define standard inductive types using the fixpoint operator. For example, the polymorphic list is encoded as follows:

    list ∶≡ 𝜆𝐴∶Typeᵢ. 𝜇 𝑋∶Typeᵢ. 1 + 𝐴 ∗ 𝑋
    nil ∶≡ inl ⋆
    cons ∶≡ 𝜆(𝐴∶Typeᵢ) (ℎ∶𝐴) (𝑡∶list 𝐴). inr (ℎ, 𝑡)

Its recursion scheme can be constructed in analogy to that of the natural numbers in 2.6.3.1.

For indexed data types, we propose a different encoding than that of [HS13], taking advantage of the truncated equality. This guarantees a certain canonicity property of the objects of indexed families: if we were to use the untruncated equality to witness equalities between indices, as their encoding suggests, propositional equality of indexed objects would involve equalities on the proofs constraining the indices. But with primitive inductive types these equalities do not occur in the constructors, so they should not matter. Here we give the definition of the type of finite types with 𝑛 elements and of vectors in this encoding.

    finite ∶≡ 𝜇 𝐹∶𝑛𝑎𝑡 → Type₀. 𝜆𝑛∶𝑛𝑎𝑡. ∑(𝑚∶𝑛𝑎𝑡) {‖𝑛 = S 𝑚‖} + ∑(𝑚∶𝑛𝑎𝑡) {‖𝑛 = S 𝑚‖} ∗ 𝐹 𝑚
    finz ∶≡ 𝜆𝑛∶𝑛𝑎𝑡. inl (𝑛, prf|refl_𝑛𝑎𝑡 (S 𝑛)|)
    fins ∶≡ 𝜆(𝑚∶𝑛𝑎𝑡) (𝑓∶finite 𝑚). inr (𝑚, (prf|refl_𝑛𝑎𝑡 (S 𝑚)|, 𝑓))

    vect ∶≡ 𝜆𝐴∶Typeᵢ. 𝜇 𝑉∶𝑛𝑎𝑡 → Typeᵢ. 𝜆𝑛∶𝑛𝑎𝑡. {‖𝑛 = O‖} + ∑(𝑚∶𝑛𝑎𝑡) {‖𝑛 = S 𝑚‖} ∗ 𝐴 ∗ (𝑉 𝑚)
    vnil ∶≡ inl prf|refl_𝑛𝑎𝑡 O|
    vcons ∶≡ 𝜆(𝐴∶Typeᵢ) (𝑛∶𝑛𝑎𝑡) (ℎ∶𝐴) (𝑡∶vect 𝐴 𝑛). inr (𝑛, (prf|refl_𝑛𝑎𝑡 (S 𝑛)|, (ℎ, 𝑡)))

In order to construct inductive types of sort Prop, we have to take the truncation of a definition in Type. For instance, the predicate even is represented as follows:

    even ∶≡ 𝜆𝑛∶𝑛𝑎𝑡. ‖(𝜇 𝐹∶𝑛𝑎𝑡 → Type₀. 𝜆𝑛∶𝑛𝑎𝑡. {‖𝑛 =_𝑛𝑎𝑡 O‖} + ∑(𝑚∶𝑛𝑎𝑡) {‖𝑛 =_𝑛𝑎𝑡 S (S 𝑚)‖} ∗ {‖𝐹 𝑚‖}) 𝑛‖
    evenO ∶≡ |inl prf|refl_𝑛𝑎𝑡 O||
    evenSS ∶≡ 𝜆(𝑚∶𝑛𝑎𝑡) (𝐻_rec∶{even 𝑚}). |inr (𝑚, (prf|refl_𝑛𝑎𝑡 (S (S 𝑚))|, 𝐻_rec))|

The standard definitions of these types, as one would write them in Coq, are recalled in Appendix B.

5 Conclusion

We have presented a type theory close to that of Coq with definitional proof-irrelevance. We have tested its validity on the treatment of the classic text-book inductive types. We have verified that we can recover the same reasoning principles for propositions as in Coq, including the singleton rules compatible with definitional proof-irrelevance. The next step will be to give an algorithm for definitional equality and to verify the meta-theory of the system. The verification of such an algorithm might be simplified by a modification to the system, where the only source of impredicativity is truncation.


A References

[Abe13] Andreas Abel. ‘Normalization by Evaluation: Dependent Types and Impredicativity’. HDR. Munich: Institut für Informatik, Ludwig-Maximilians-Universität, 31st May 2013. url: http://www.cse.chalmers.se/~abela/habil.pdf

[AS12] Andreas Abel and Gabriel Scherer. ‘On irrelevance and algorithmic equality in predicative type theory’. arXiv preprint arXiv:1203.4716 (2012). url: http://arxiv.org/abs/1203.4716

[Alt99] Thorsten Altenkirch. ‘Extensional equality in intensional type theory’. In: Logic in Computer Science, 1999. Proceedings. 14th Symposium on. IEEE, 1999, pp. 412–420. url: http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=782636

[AMS07] Thorsten Altenkirch, Conor McBride and Wouter Swierstra. ‘Observational equality, now!’ In: Proceedings of the 2007 workshop on Programming languages meets program verification. ACM, 2007, pp. 57–68. url: http://dl.acm.org/citation.cfm?id=1292608

[AG12] Andrea Asperti and Ferruccio Guidi. ‘Type systems for dummies’. In: Proceedings of the 8th ACM SIGPLAN workshop on Types in language design and implementation. ACM, 2012, pp. 79–90. url: http://dl.acm.org/citation.cfm?id=2103797

[Asp+11] Andrea Asperti, Wilmer Ricciotti, Claudio Sacerdoti Coen and Enrico Tassi. ‘The Matita interactive theorem prover’. In: Automated Deduction – CADE-23. Springer, 2011, pp. 64–69. url: http://link.springer.com/chapter/10.1007/978-3-642-22438-6_7

[AB04] Steven Awodey and Andrej Bauer. ‘Propositions as [types]’. In: Journal of Logic and Computation 14.4 (2004), pp. 447–471. url: http://logcom.oxfordjournals.org/content/14/4/447.short

[Bar97] Henk Barendregt. ‘The Impact of the Lambda Calculus in Logic and Computer Science’. In: Bulletin of Symbolic Logic 3.02 (June 1997), pp. 181–215. issn: 1079-8986, 1943-5894. doi: 10.2307/421013. url: http://www.journals.cambridge.org/abstract_S1079898600007599

[BW05] Henk Barendregt and Freek Wiedijk. ‘The challenge of computer mathematics’. In: Philosophical Transactions of the Royal Society A: Mathematical, Physical and Engineering Sciences 363.1835 (2005), pp. 2351–2375. url: http://rsta.royalsocietypublishing.org/content/363/1835/2351.short

[BB08] Bruno Barras and Bruno Bernardo. ‘The implicit calculus of constructions as a programming language with dependent types’. In: Foundations of Software Science and Computational Structures. Springer, 2008, pp. 365–379. url: http://link.springer.com/chapter/10.1007/978-3-540-78499-9_26

[BC04] Yves Bertot and Pierre Castéran. Interactive Theorem Proving and Program Development. Coq’Art: The Calculus of Inductive Constructions. Texts in Theoretical Computer Science. Springer Verlag, 2004.

[CDP14] Jesper Cockx, Dominique Devriese and Frank Piessens. ‘Pattern matching without K’. In: International Conference on Functional Programming (ICFP 2014). ACM, Sept. 2014. url: https://lirias.kuleuven.be/handle/123456789/452283

[Con+86] Robert L. Constable et al. Implementing Mathematics with the Nuprl Proof Development System. NJ: Prentice-Hall, 1986.

[Coq12] Coq Development Team. ‘The Coq proof assistant reference manual, version 8.4’. 2012. url: http://coq.inria.fr/refman/

[Dyb94] Peter Dybjer. ‘Inductive families’. In: Formal aspects of computing 6.4 (1994), pp. 440–465. url: http://link.springer.com/article/10.1007/BF01211308

[Hed98] Michael Hedberg. ‘A coherence theorem for Martin-Löf’s type theory’. In: Journal of Functional Programming 8.04 (1998), pp. 413–436. url: http://journals.cambridge.org/abstract_S0956796898003153

[HS13] Hugo Herbelin and Arnaud Spiwack. ‘The Rooster and the Syntactic Bracket’. arXiv preprint arXiv:1309.5767 (2013). url: http://arxiv.org/abs/1309.5767

[Hof97] Martin Hofmann. ‘Proof irrelevance and subset types’. In: Extensional Constructs in Intensional Type Theory. Springer, 1997, pp. 89–113. url: http://link.springer.com/chapter/10.1007/978-1-4471-0963-1_4

[HS96] Martin Hofmann and Thomas Streicher. ‘The Groupoid Interpretation of Type Theory’. In: Venice Festschrift. Oxford University Press, 1996, pp. 83–111.

[LW11] Gyesik Lee and Benjamin Werner. ‘Proof-irrelevant model of CC with predicative induction and judgmental equality’. arXiv preprint arXiv:1111.0123 (2011). url: http://arxiv.org/abs/1111.0123

[Mar98] Per Martin-Löf. ‘An intuitionistic theory of types’. In: Twenty-five years of constructive type theory 36 (1998), pp. 127–172.

[Mar75] Per Martin-Löf. ‘An Intuitionistic Theory of Types: Predicative Part’. In: Studies in Logic and the Foundations of Mathematics. Ed. by H. E. Rose and J. C. Shepherdson. Vol. 80. Elsevier, 1975, pp. 73–118. issn: 0049-237X. url: http://www.sciencedirect.com/science/article/pii/S0049237X08719451

[Mar82] Per Martin-Löf. ‘Constructive Mathematics and Computer Programming’. In: Studies in Logic and the Foundations of Mathematics. Ed. by L. Jonathan Cohen, Jerzy Łoś, Helmut Pfeiffer and Klaus-Peter Podewski. Vol. 104. Elsevier, 1982, pp. 153–175. issn: 0049-237X. url: http://archive-pml.github.io/martin-lof/pdfs/Constructive-mathematics-and-computer-programming-1982.pdf

[McB99] Conor McBride. ‘Dependently Typed Functional Programs and their Proofs’. PhD thesis. University of Edinburgh, 1999. url: http://www.lfcs.informatics.ed.ac.uk/reports/00/ECS-LFCS-00-419/

[MW03] Alexandre Miquel and Benjamin Werner. ‘The not so simple proof-irrelevant model of CC’. In: Types for proofs and programs. Springer, 2003, pp. 240–258. url: http://link.springer.com/chapter/10.1007/3-540-39185-1_14

[Ned94] R. P. Nederpelt. Selected papers on Automath. Amsterdam; New York: Elsevier, 1994. isbn: 0-444-89822-0.

[Nor07] Ulf Norell. Towards a practical programming language based on dependent type theory. Göteborg: Chalmers Univ. of Technology, 2007. isbn: 978-91-7291-996-9.

[Pau96] C. Paulin-Mohring. ‘Définitions Inductives en Théorie des Types d’Ordre Supérieur’. HDR. Dec. 1996. url: http://www.lri.fr/~paulin/PUBLIS/habilitation.ps.gz

[Pfe01] Frank Pfenning. ‘Intensionality, extensionality, and proof irrelevance in modal type theory’. In: Logic in Computer Science, 2001. Proceedings. 16th Annual IEEE Symposium on. IEEE, 2001, pp. 221–230. url: http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=932499

[Pol94] Robert Pollack. ‘The Theory of LEGO: A Proof Checker for the Extended Calculus of Constructions’. Univ. of Edinburgh, 1994. url: http://homepages.inf.ed.ac.uk/rpollack/export/thesis.ps.gz

[Pro13] The Univalent Foundations Program. ‘Homotopy Type Theory: Univalent Foundations of Mathematics’. arXiv preprint arXiv:1308.0729 (2013). url: http://arxiv.org/abs/1308.0729

[SU06] Morten Heine Sørensen and Paweł Urzyczyn. Lectures on the Curry-Howard isomorphism. Amsterdam; Boston: Elsevier, 2006. isbn: 978-0-444-52077-7. url: http://www.sciencedirect.com/science/book/9780444520777

[Soz07] Matthieu Sozeau. ‘Subset coercions in Coq’. In: Types for Proofs and Programs. Springer, 2007, pp. 237–252. url: http://link.springer.com/chapter/10.1007/978-3-540-74464-1_16

[Soz08] Matthieu Sozeau. ‘Un environnement pour la programmation avec types dépendants’. Orsay, France: Université Paris 11, Dec. 2008.

[Thi86] Thierry Coquand. ‘An Analysis of Girard’s Paradox’. In: Symposium on Logic in Computer Science. IEEE Computer Society Press, 1986, pp. 227–236.

[Wer06] Benjamin Werner. ‘On the strength of proof-irrelevant type theories’. In: Automated Reasoning. Springer, 2006, pp. 604–618. url: http://link.springer.com/chapter/10.1007/11814771_49

B Inductive Definitions in Coq

Inductive list (A : Type) : Type :=
  | nil : list A
  | cons : A -> list A -> list A.

Inductive finite : nat -> Set :=
  | finz : forall n, finite (S n)
  | fins : forall n, finite n -> finite (S n).

Inductive vect (A : Type) : nat -> Type :=
  | vnil : vect A 0
  | vcons : forall n, A -> vect A n -> vect A (S n).

Inductive even : nat -> Prop :=
  | evenO : even 0
  | evenSS : forall n, even n -> even (S (S n)).
